caspol -reset not working

Question

Hi.  I'm trying to backout the security setting I set via this caspol command:

CasPol.exe -m -ag 1.2 -url file://.../* FullTrust

I've tried --

caspol -all -reset

caspol -reset

And I've also tried to delete the security.config and security.config.cch files.

But I am still able to run my EXE over a network share.

What else can I try to remove that security policy?

Answer 1

Hi Hanashiaru,

Do you mean that you want to return to the default Security Policy settings?

If yes, please try the following points:
How to: Return to the Default Security Policy Settings Using Caspol.exe
http://msdn.microsoft.com/en-us/library/bk67a586.aspx

Let me know if it works.

Thanks

---

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.

Answer 2

Hi YiChun,

I actually did the following as suggested in this blog:

Delete Security.config and Security.config.cch.

Then run caspol -all -reset.

I saw Windows create new files for Security.config and Security.config.cch.

But when I tested my exe that exists on a network share, it worked.  Maybe it's just this particular PC.

On my Windows Virtual PC, the above works, and I do get the security exception error.

Answer 3

Hi Hanashiaru,

To isolate the cause of this particular PC, you can try the following steps:

- Create a new account in the same PC to eliminate user profile corruption related causes
- Test it on other clean machine

Let me know if it works.

Thanks

---

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.

Answer 4

Hi YiChun,

I did as you suggested (Create a new account in the same PC to eliminate user profile corruption related causes).
But I am still able run my EXE of my network share.

As far as the other suggestion: I tested on my Windows virtual PC, and that works -- I get the Security Exception error.

The reason that I am going through this exercise is to show the HelpDesk folks who are in charge of PC/network security that the caspol -all -reset command will work to undo what caspol did.

I know this is nearing sacrilege,  but can I copy the security.config and the security.config.cch files (both reset with caspol reset) from my virtual PC to the PC that doesn't seem to take the caspol reset command?

Answer 5

Hi Hanashiaru,

The policy search order is:

1. A valid .cch file
2. security.config (depending on the level this may not actually be named security.config)
3. security.config.default
4. built in default policy

I found a helpful blog that discussed the policy search order. See: http://blogs.msdn.com/shawnfa/archive/2006/02/09/527688.aspx

Could you please check whether you can find security.config.default file on your PC? It is required to run caspol -all -reset.

Let me know if it works.

Thanks

---

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.

Answer 6

Hi YiChun,

I could not find security.config.default.  I searched all of the c-drive.

I'm reading through the blog link you've sent.

I'm also looking at this artcle to see if I have an issue caused by a possible .NET Framework security config change.

Answer 7

Hi Hanashiaru,

More clarification with you. Where is your exe application?

Based on your description, the security policy level is Machine Level .

For default security configuration, I found that Enable Code Execution permission is granted to Yes. It means that the code execution is permitted by default. To restrict the permission, you should manually change it.

You can try .NET Framework 2.0 Configuration Tool to restrict it.
Please go to Control Panel >> Administrative Tools >> Microsoft .NET Framework 2.0 Configuration >> My Computer >> Runtime Security Policy >> Machine >> Code Groups >> Find the group that you added >> Right Click the group >> Properties >> Permission Set >> Change Permission Set to the permission you want.

You also can set your own permission set.
Please go to Machine >> Permission Sets >> Add.

If I misunderstood, please fee free to let me know.

Thanks

---

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.

Answer 8

Hi Hanashiaru,

We are changing the issue type to “Comment” because you have not followed up with the necessary information. If you have more time to look at the issue and provide more information, please feel free to change the issue type back to “Question” by editing your initial post and changing the radio button at the top of the post editor window. If the issue is resolved, we will appreciate it if you can share the solution so that the answer can be found and used by other community members having similar questions.

Thank you!

---

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.

Answer 9

Hi YiChun,    Sorry for the spotty replies.

I tried what you suggested in the previous post, but don't see where I added any groups under Machine -> Code Groups.  Would they be under one of the zones under All_Code?

Answer 10

Hi Hanashiaru,

Yes, it would be. Please have a try. And let me know if you can find it.

Thanks

---

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.

Answer 11

Hi YiChun,    Didn't work.  I don't want to waste any more of your time.

I actually deleted the custom policies on my PC via .Net Framework 2.0 Configuration.  I then removed installed versions of .Net Framework from 3.5 to 2.0.  Then reinstalled 3.5 and 3.5, SP1.

When I ran my app off my network share, the darned thing worked.

Is it possible that I am actually experiencing the benefits of being on 3.5, SP 1, as described in this link?

"Managed applications that are opened from network shares have the same behavior as native applications by running with full trust."

Answer 12

Hi Hanashiaru,

I'm not quite sure whether your issue is related to core improvements to the common language runtime. Since you tried removing .NET Framework 3.5 and upgrading to .NET Framework 3.5 SP1, another possible assumption of the cause could be corrupted .NET Framework.

Anyway, I'm so glad to hear that your issue is solved even it takes you a long time. :)
I have marked your reply as answer. I think it will benefit other member who has similar issue as you.

Thank you very much.

---

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.